Bug 1109759
Summary: | Rebase bind-dyndb-ldap to latest upstream version | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek>
Component: | bind-dyndb-ldap | Assignee: | Petr Spacek <pspacek>
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 7.1 | CC: | jgalipea, pspacek
Target Milestone: | rc | Keywords: | Rebase
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | bind-dyndb-ldap-6.0-1.el7 | Doc Type: | Rebase: Bug Fixes and Enhancements
Doc Text:
Feature:
Enhancements
============
* Read-query performance is nearly the same as with plain BIND, and queries for non-existing records do not impose additional load on the LDAP server.
* Wildcard records are supported. For details please see RFC 4592.
http://tools.ietf.org/html/rfc4592
* Incremental Zone Transfers (IXFR, RFC 1995) are supported.
http://tools.ietf.org/html/rfc1995
* DNS root zone (".") can be stored in LDAP.
* DNSSEC in-line signing is supported for master zones. Any master zone in LDAP can be signed with keys provided by user.
Behavioral changes & upgrade
============================
* Forwarder semantics were changed to match BIND's semantics:
- idnsZone objects always represent master zones
- idnsForwardZone objects (new) always represent forward zones
!!! Users are responsible for upgrading their own data in LDAP. !!!
Upgrade:
1) Start by upgrading the bind-dyndb-ldap package on all servers to the latest version provided with RHEL 7.0. This step helps you minimize downtime because bind-dyndb-ldap-3.5 supports the old and new formats at the same time.
2) Retrieve zones stored in the old format:
$ ldapsearch -Y GSSAPI -b 'cn=dns, dc=ipa, dc=example' '(&(objectClass=idnsZone)(idnsForwarders=*)(!(idnsForwardPolicy=none)))' objectClass idnsName idnsZoneActive idnsForwarders idnsForwardPolicy > old_zones.ldif
# NOTE: parameters -Y and -b need to be tweaked according to your local configuration. #
3) Change the objectClass attribute in old_zones.ldif by replacing 'idnsZone' with 'idnsForwardZone'. The resulting LDIF should have this form:
dn: idnsName=example.com,cn=dns,dc=ipa,dc=example
objectClass: top
objectClass: idnsForwardZone
idnsName: example.com
idnsZoneActive: TRUE
idnsForwarders: 192.0.2.1
idnsForwardPolicy: only
4) Delete the old objects from LDAP.
5) Import the modified objects into LDAP.
http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades
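Steps 2 to 5 above, as an added example that is not part of this bug report or of the bind-dyndb-ldap project: a Python script that reads the old_zones.ldif written by the ldapsearch in step 2 and writes one LDIF for ldapmodify which deletes each old-format forward zone and adds it back as an idnsForwardZone object. The object class and attribute names are the ones the page uses; the embedded sample LDIF is constructed. It also handles what real ldapsearch output contains but step 3 does not mention: folded continuation lines, the search/result trailer, and entries that are not really forward zones (no idnsForwarders, or idnsForwardPolicy none), which are reported instead of converted.

```python
"""Migrate bind-dyndb-ldap forward zones from old idnsZone objects to
idnsForwardZone objects (steps 3-5 above). Added example, not project code.
Input: the old_zones.ldif written by the ldapsearch in step 2. Output: one
LDIF for ldapmodify that deletes each old object and adds the new one."""
import re

OLD_CLASS, NEW_CLASS = "idnsZone", "idnsForwardZone"
# Attributes an idnsForwardZone carries (lower-case: LDAP names are case-insensitive).
FORWARD_ATTRS = {"idnsname", "idnszoneactive", "idnsforwarders", "idnsforwardpolicy"}
LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")  # attr, ':'/'::', value


def parse_ldif(text):
    """Return [{"dn": dn, "attrs": [(attr, sep, value), ...]}, ...].
    Joins folded lines, skips comments/version and the ldapsearch trailer;
    base64 values keep their '::' marker so they round-trip unchanged."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line[0] == "#" or line.startswith("version:"):
            continue
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if attr.lower() == "dn":
            if sep == "::":
                raise ValueError("base64 DN not supported: %r" % line)
            current = {"dn": value, "attrs": []}
        elif current is None:
            if attr in ("search", "result"):   # ldapsearch trailer lines
                continue
            raise ValueError("attribute before dn: %r" % line)
        else:
            current["attrs"].append((attr, sep, value))
    return entries


def convert_forward_zone(entry):
    """idnsForwardZone version of an old-style forward zone, or None if the
    entry is not one (same condition as the step 2 search filter)."""
    classes = {v for a, _, v in entry["attrs"] if a.lower() == "objectclass"}
    values = {}
    for a, _, v in entry["attrs"]:
        values.setdefault(a.lower(), []).append(v)
    policy = values.get("idnsforwardpolicy", [""])[0].lower()
    if OLD_CLASS not in classes or "idnsforwarders" not in values or policy == "none":
        return None
    attrs = [("objectClass", ":", "top"), ("objectClass", ":", NEW_CLASS)]
    # Only forward-zone attributes are copied; nothing master-zone specific.
    attrs += [t for t in entry["attrs"] if t[0].lower() in FORWARD_ATTRS]
    return {"dn": entry["dn"], "attrs": attrs}


def build_migration_ldif(old_ldif):
    """Return (ldif_for_ldapmodify, dns_skipped): delete + add per zone."""
    records, skipped = [], []
    for entry in parse_ldif(old_ldif):
        new = convert_forward_zone(entry)
        if new is None:
            skipped.append(entry["dn"])
            continue
        records.append("dn: %s\nchangetype: delete\n" % entry["dn"])
        lines = ["dn: %s" % new["dn"], "changetype: add"]
        lines += ["%s%s %s" % t for t in new["attrs"]]
        records.append("\n".join(lines) + "\n")
    return "\n".join(records), skipped


# Constructed sample of old_zones.ldif (not real data): one convertible zone,
# one with policy 'none' to be left alone, a folded DN, ldapsearch trailer.
SAMPLE_OLD_ZONES = """\
# extended LDIF
# base <cn=dns,dc=ipa,dc=example> with scope subtree
dn: idnsName=example.com,cn=dns,dc=ipa,dc=example
objectClass: top
objectClass: idnsZone
idnsName: example.com
idnsZoneActive: TRUE
idnsForwarders: 192.0.2.1
idnsForwarders: 2001:db8::53
idnsForwardPolicy: only

dn: idnsName=lab.example,cn=dns,dc=ipa,
 dc=example
objectClass: top
objectClass: idnsZone
idnsName: lab.example
idnsZoneActive: TRUE
idnsForwarders: 192.0.2.2
idnsForwardPolicy: none

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    ldif, skipped = build_migration_ldif(SAMPLE_OLD_ZONES)
    print(ldif)
    for dn in skipped:
        print("# skipped (not a forward zone): %s" % dn)
```

Apply the result with the same -Y/-b settings as step 2 (for example ldapmodify -Y GSSAPI -f migrate.ldif) and keep old_zones.ldif as the backup; ldapmodify stops at the first failing record unless given -c. One caveat the procedure does not spell out: the delete record fails with notAllowedOnNonLeaf if the old zone object still has child entries (records stored under a forward zone), and those have to be dealt with by hand before the conversion.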
* The persistent search and zone refresh mechanisms were replaced by RFC 4533 (LDAP Content Synchronization, aka SyncRepl).
** The options zone_refresh, cache_ttl and psearch were removed and should be dropped from /etc/named.conf or the equivalent file.
** Support for the LDAP attributes idnsZoneRefresh and idnsPersistentSearch was also removed; these attributes should be removed from LDAP.
** From now on, the bind-dyndb-ldap plugin works only with RFC 4533-compliant LDAP servers. Please configure your LDAP server accordingly.
* The SOA serial auto-increment feature is now mandatory. The plugin has to have write access to LDAP.
* Data from LDAP are not served to clients until initial synchronization with LDAP is finished. All queries received during initial synchronization are processed as if bind-dyndb-ldap were not configured, i.e. can be answered with NXDOMAIN or .
* The plug-in creates a journal file for each DNS zone in LDAP (this is what allows IXFR support). The working directory has to be writable by named. Please see the README if you have tweaked the BIND and bind-dyndb-ldap configurations.
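For the named.conf and LDAP-server side of the SyncRepl and serial auto-increment changes above, an added example that is not from this bug report or from the bind-dyndb-ldap project: a Python helper that strips the removed zone_refresh, cache_ttl and psearch options from a dynamic-db block, flags serial_autoincrement set to anything other than yes, and checks a root DSE listing for the RFC 4533 Sync Request control that the LDAP server must advertise. Assumptions not taken from this page: the `arg "option value";` form of the dynamic-db block and the serial_autoincrement option name are those of the bind-dyndb-ldap README for BIND 9.9-era builds; the sample named.conf and root DSE output are constructed.

```python
"""Post-upgrade checks for the SyncRepl switch (added example, not project code).
clean_dyndb_config(): drop removed options from a dynamic-db block.
supports_syncrepl(): does the root DSE advertise the RFC 4533 Sync Request control?
Assumption: the `arg "option value";` syntax and the serial_autoincrement
option name come from the bind-dyndb-ldap README, not from the bug page."""
import re

REMOVED_OPTIONS = ("zone_refresh", "cache_ttl", "psearch")
SYNC_REQUEST_CONTROL = "1.3.6.1.4.1.4203.1.9.1.1"   # RFC 4533, section 2.2
ARG_LINE = re.compile(r'^\s*arg\s+"(\S+)(?:\s+(.*?))?"\s*;\s*$')


def clean_dyndb_config(config_text):
    """Return (cleaned_text, removed_options, warnings). Only arg lines inside
    dynamic-db { ... } blocks are touched; everything else is kept verbatim."""
    kept, removed, warnings = [], [], []
    in_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("dynamic-db"):
            in_block = True
        m = ARG_LINE.match(line) if in_block else None
        if m:
            option, value = m.group(1), (m.group(2) or "")
            if option in REMOVED_OPTIONS:
                removed.append(option)
                continue                      # drop the line
            if option == "serial_autoincrement" and value.lower() != "yes":
                warnings.append("serial_autoincrement %s: auto-increment is now "
                                "mandatory, make sure the plugin can write to LDAP" % value)
        if in_block and stripped.startswith("}"):
            in_block = False
        kept.append(line)
    return "\n".join(kept) + "\n", removed, warnings


def supports_syncrepl(rootdse_ldif):
    """True if a root DSE listing (ldapsearch -s base -b '' supportedControl)
    advertises the Sync Request control."""
    controls = set()
    for line in rootdse_ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedcontrol":
            controls.add(value.strip())
    return SYNC_REQUEST_CONTROL in controls


# Constructed pre-upgrade named.conf fragment (option names from the page).
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
};

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket";
    arg "base cn=dns, dc=ipa, dc=example";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ns1.example.com";
    arg "serial_autoincrement no";
    arg "zone_refresh 30";
    arg "psearch yes";
    arg "cache_ttl 300";
};
"""

# Constructed root DSE output from a server with the sync control enabled.
SAMPLE_ROOT_DSE = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 1.2.840.113556.1.4.319
"""

if __name__ == "__main__":
    text, removed, warnings = clean_dyndb_config(SAMPLE_NAMED_CONF)
    print(text)
    print("removed:", removed, "warnings:", warnings)
    print("syncrepl supported:", supports_syncrepl(SAMPLE_ROOT_DSE))
```

If supports_syncrepl() comes back False against your server's root DSE, fix the LDAP side (enable content synchronization on the server) before restarting named, since the plugin no longer has a polling fallback.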
Bug fixes
=========
* Many :-)
* Most important one: Kerberos ticket expiration is now handled correctly.
Known problems and limitations
==============================
* LDAP MODRDN (rename) is not supported at the moment:
https://bugzilla.redhat.com/show_bug.cgi?id=1139776
* Zones and records deleted when connection to LDAP is down are not refreshed properly after re-connection:
https://bugzilla.redhat.com/show_bug.cgi?id=1139778
Reason:
We wanted to provide new features.
Result:
New features are available :-)
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2015-03-05 09:29:17 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1044159, 1044170, 1044171 | |
Bug Blocks: | 957249, 1078295, 1082754, 1113520, 1138317, 1370126 | |
Description
Martin Kosek
2014-06-16 10:25:03 UTC
I'm adding 389 DS bugs which make the new version of bind-dyndb-ldap unusable. I'm renaming the bug to reflect the latest requirements.

Verified version of bind-dyndb-ldap in rhel7.1
# rpm -qa bind-dyndb-ldap
bind-dyndb-ldap-6.0-2.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-0424.html